By Christopher Kolmos, Transatlantic Analyst
Source: ENISA, "Regional Cybersecurity Forum for Europe," accessed February 24, 2021, https://www.enisa.europa.eu/news/enisa-news/regional-cybersecurity-forum-for-europe
Cybersecurity is a vital area for cooperation between NATO and the EU. The two organizations have substantially improved their cybersecurity cooperation over the years, but issues related to information-sharing – particularly sharing classified information – continue to hinder their efforts. NATO and the EU lack official channels to share classified information, a result of distrust between the two organizations. In order to improve information-sharing, NATO and the EU ought to build trust by creating shared standards and practices for storing information – particularly by handling private information and using cloud computing – along with official channels to share classified information.
Cyber Cooperation
The Past
Over the years, cybersecurity has become a top priority for both NATO and the EU. Case in point: Russian cyberattacks in Estonia in 2007, and in Ukraine during the 2014 annexation of Crimea and the ongoing War in Donbass.[1] In response to these events both NATO and the EU bolstered their cyber capabilities by working together to deal with cyber threats. In 2016 there were two major breakthroughs. First, in February the two organizations signed a “Technical Agreement on Cyber Defence,” which created a framework for cooperation and information-sharing between the NATO Computer Incident Response Capability (NCIRC) and the Computer Emergency Response Team of the EU (CERT-EU).[2] Second, in July NATO and the EU signed a joint declaration which, among other things, pledged to “Expand our coordination on cyber security and defence [sic] including in the context of our missions and operations, exercises and on education and training.”[3] Since then, NATO and the EU issued yearly progress reports on their efforts at cyber cooperation, and continued to increase their cooperation in areas such as training and holding joint exercises. For instance, 2017 marked the first year that EU cyber defense staff participated in NATO’s Cyber Coalition exercise, which tests NATO’s cyber defense capabilities and the ability of member states to cooperate with each other.[4] To date, EU staff continues to participate in Cyber Coalition exercises.[5]
The Present
Cyberattacks have long been on the rise, and as computers and information technology become more vital, these attacks are only going to increase. In particular, the COVID-19 pandemic has increased the global dependence on cyberspace, leading to an increase in the frequency of cyberattacks.[6] For example, cybercriminals are increasingly targeting remote workers, hoping remote workers provide vulnerabilities that do not exist at the office where companies better control the infrastructure.[7] The banking sector has been heavily impacted, with banks reporting nearly three times as many cyberattacks targeting their employees, usually through phishing emails.[8] This trend is expected to continue even after the COVID-19 pandemic.[9] State-sponsored cyberattacks also represent a serious threat, as demonstrated by the recent SolarWinds hack allegedly carried out by Russia against the US.[10] In this hostile environment more cooperation between NATO and the EU is critical in order to ensure transatlantic, and even global, security. However, poor information-sharing – particularly classified information – creates a “glass ceiling...whereby the current level of cooperation is inherently constrained, and has in practice remained un-strategic.”[11] As a result, improving information-sharing is a key first step to building better cooperation and creating a more secure environment in cyberspace.
Information-Sharing Issues
Although NATO and the EU have made great progress improving cyber cooperation, issues with sharing information – particularly classified information – have hindered their efforts. Currently, the two organizations lack official channels for sharing classified information.[12] There are several reasons for this rift, most notably a lack of trust between NATO and the EU via different standards and practices in sharing and storing information.[13] As will be discussed below, two essential differences are the handling of private information and the use of cloud computing.
Private Information
When it comes to handling private information, EU member states are bound by the General Data Protection Regulation (GDPR), which codifies that citizens have the right to data protection and lays out rules governing how organizations can collect and store personal information.[14] However, NATO is not bound by GDPR regulations. In particular, NATO member states who are not part of the EU have zero obligations to follow these rules.[15] For example, the GDPR strengthens protections related to the “right to be forgotten,” in which EU citizens can demand that their personal data be deleted. But, the “right to be forgotten” does not exist in the US.[16] This circumstance creates concerns that NATO and its non-EU member states may not respect the privacy of EU citizens.[17] For instance, in July 2020 the European Court of Justice (CJEU) ruled that mass surveillance of digital data carried out by the US National Security Agency (NSA) violates the privacy right of EU citizens, as EU citizens have no recourse under US law to challenge the collection of their data.[18] This ruling invalidated the US-EU Privacy Shield, which was designed to allow personal data to be transferred to the US, and was a key part of transatlantic digital trade.[19]
Cloud Computing
Meanwhile, both NATO and the EU are turning to cloud computing as a platform to coordinate operations and store information.[20] However, their standards and practices are dissimilar in scope and nature. NATO’s cloud regulations are focused on ensuring security and interoperability in a military environment. Moreover, NATO’s guidelines for cloud computing include its Federated Mission Networking (FMN) standards, which “establishes the framework for cooperation between command-and-control networks for coalition forces.”[21] And FMN standards for cloud computing security mandate that all affiliates use a variety of cryptographic algorithms, including the Advanced Encryption Standard, a type of cipher that encrypts data in multiple rounds and is the standard for the US government and military.[22] By contrast, the EU’s cloud regulations are focused on ensuring cloud security for businesses and consumers. The main regulation is the EU Code of Conduct for Cloud Service Providers, which does not provide specific security measures that need to be taken, but instead mandates companies’ security be compliant with ISO 27001.[23] ISO 27001 establishes a process to create an information security management system, including creating a risk assessment system producing “consistent, valid and comparable results.”[24] In regard to government clouds, the EU does not have specific regulations, but does offer a guide for best practices using the Plan-Do-Check-Act (PDCA) model. In the PDCA’s four phases, governments first determine what they need to cloudify and what risks there are; select necessary security controls and implement them; review the measures after implementation to see what problems have arisen; and finally act on those problems.[25] Without EU-wide regulations governing military cloud computing, it is difficult for NATO to share information for fear of information ending up on clouds not compliant with its own security standards.
Recommendations for NATO and the EU
Given the lack of trust between NATO and the EU, the first step to improving information-sharing is to increase the two organizations’ faith in each other. As mentioned above, standards and practices related to collecting and storing private data and the use of cloud computing are two areas where NATO and the EU have serious differences. Therefore, creating shared standards and practices for securing classified information is the best way to bridge this transatlantic cyber rift.
Private Information
To deal with issues surrounding private information, NATO and the EU should work together to create a data protection framework for NATO that meets minimum standards to protect data. The first step in this direction is creating a permanent forum to deal with data protection issues, such as the EU-US Trade and Technology Council (TTC). In December 2020, the EU proposed the TTC to serve as a forum for the US and EU to deal with issues related to emerging technology and trade standards.[26] The TTC would bring together representatives from the European Commission, members of US departments and agencies, and private industry representatives.[27]
One of the TTC’s first remits should be to revive the US-EU Privacy Shield. This act will remove hurdles to US-EU trade, demonstrate that both sides can and will work together, and allow them to coordinate their response to the CJEU’s decision in July 2020. Another important step is creating redress for EU citizens whose data is collected by US intelligence agencies. For example, making improvements to the Privacy Shield Ombudsperson, a position created to handle complaints and provide redress.[28] In fact, the CJEU declared that the Privacy Shield Ombudsperson was ineffective because the position – appointed by the US President – lacked independence.[29] In turn, the US could agree to make the position independent by establishing a new position via Congress.[30] After the US-EU Privacy Shield is renegotiated, the TTC can act as a forum for future negotiations between the two sides, such as handling the digital standards and data privacy portion of any future trade negotiations. In addition, having the US and EU agree on standards will encourage other NATO members, and perhaps non-EU member states, to follow suit. Nevertheless, there are problems with the TTC. After all, the TTC would be a forum to negotiate on a wide variety of issues related to trade and technology, including digital taxation and 5G.[31] Thus, certain issues could derail the TTC’s discussions on digital privacy and data protection.
Cloud Computing
Meanwhile, the first step to developing shared standards and practices for military cloud computing is to develop EU standards. A sound starting point is by creating a new project to develop standards on how EU member states’ militaries use cloud computing through the Permanent Structured Cooperation (PESCO), a program in which EU member states collaborate on projects to improve security.[32] Given that NATO has much more advanced military cloud computing capabilities than the EU, NATO should assist in developing these standards and practices. For example, the Defence and Related Security Capacity Building (DCB) Initiative, which helps NATO partners, non-partners, and international organizations improve their security and defense capabilities. In theory, the EU would first request NATO’s help with cloud computing. Then, if approved via the North Atlantic Council, NATO would send funds, advisors and technical experts.[33] Furthermore, the two largest issues NATO should help the EU with are creating standards for security and interoperability. For security, this means developing standards around encryption, such as NATO recommending the EU use the Advanced Encryption Standard that it uses. For interoperability, this means ensuring all systems use a similar Application Program Interface (API), or APIs, which defines a list of possible commands and the format to issue those commands, thus allowing programs to interact with one another.[34] EU member states must also use APIs compatible with one another and with NATO member states.
The advantage of the aforementioned approach is that it allows the EU to develop cloud computing capabilities compatible with NATO – capabilities that both sides consider secure. By the same token, our approach creates a framework that the two sides can use to work together on other emerging technologies. Yet there are some problems with this proposal. First, the US may not be willing to assist the EU, as some US government officials have worried that EU military efforts will lead to “duplication, non-interoperable military systems, diversion of scarce defense resources, and unnecessary competition between NATO and the EU.”[35] The issue of duplication and non-interoperability would not be an issue here. But, the other two problems may be enough to convince US officials that cooperation is not in their best interest. The second problem is that the EU may be reluctant to seek NATO’s help, due to fears that NATO could impede digital sovereignty. A third problem is that US companies – which, in 2019, controlled about 70% of the world market – are too dominant in the cloud computing sector, and this dependence puts the autonomy of European data at risk.[36] Finally, allowing NATO to help set standards and practices may be seen as “Americanizing” European defense clouds while increasing dependence on American firms. Despite these potential setbacks, NATO and the EU must overcome mutual distrust and apprehension if they aim to conquer cyber security concerns.
Creating a Platform
Once trust has been established, NATO and the EU should create official channels to share classified information. First, these two organizations must determine what information can be shared, who can receive the information, and what sort of framework will exist for sharing this information.[37] Sharing classified information requires NATO and the EU to develop a shared classification scheme, ensuring individuals above a certain security clearance can access information. Subsequently, the two organizations would have to determine what types of devices can access the platform. For example, allowing portable electronic devices to access the platform fosters remote work, but also enables more cyberattacks.[38] The second step is to create a security architecture for this platform. One possible piece of security architecture comes from the US Department of Defense’s Comply to Connect Program (C2C). C2C verifies that a device which attempts to connect to a network is authorized to do so and is compliant with security policies.[39] This verification process prevents unauthorized users or potentially compromised endpoints from accessing classified information. C2C also monitors all devices accessing the network, allowing the administrator to know who is using the network without having to manually update a list.[40] The main disadvantage of C2C is that it is currently being used on a limited scale, and it is not entirely clear how it will work across the entire Department of Defense, much less on a transnational level.[41] But once a platform is up and running, it is necessary to create mechanisms for getting user feedback, including surveys and allowing users to submit error reports – allowing NATO and the EU to assess how well the platform is working and fix any problems that emerge.[42]
Conclusion – Bridging the Transatlantic Cyber Rift
NATO and the EU ought to create shared standards and practices for sharing information, particularly in the areas of handling private information and using cloud computing. To deal with the problem of handling private information, the two organizations should create and utilize a forum, such as the TTC. Moreover, the TTC could help renegotiate the US-EU Privacy Shield Agreement. To deal with the problem of cloud computing, the EU should create standards and practices related to military cloud computing, best done by a project such as PESCO. NATO could then assist the EU in developing these standards, using the DCB Initiative as the framework for aid. Lastly, the two organizations should create official channels to share classified information, making sure to create a shared classification system while setting up a security architecture to protect classified information. These recommendations will dramatically improve the security of both NATO and the EU, creating a groundwork for the two organizations to develop better cooperation to deal with security threats inside – and even outside – the cyber domain.
[1] Bruno Lété and Piret Pernik, “EU–NATO Cybersecurity and Defense Cooperation: From Common Threats to Common Solutions,” German Marshall Fund, Policy Brief, No. 38, December 2017, https://www.gmfus.org/sites/default/files/publications/pdf/EU-NATO%20Cybersecurity%20and%20Defense%20Cooperation%20edit.pdf.
[2] North Atlantic Treaty Organization, “Cyber defence,” September 25, 2020, https://www.nato.int/cps/fr/natohq/topics_78170.htm?selectedLocale=en#:~:text=On%205%20December%202017%2C%20NATO,including%20cyber%20security%20and%20defence.
[3] North Atlantic Treaty Organization, “Joint declaration by the President of the European Council, the President of the European Commission, and the Secretary General of the North Atlantic Treaty Organization,” July 8, 2016, https://www.nato.int/cps/en/natohq/official_texts_133163.htm.
[4] European Commission, “Third progress report on the implementation of the common set of proposals endorsed by NATO and EU Councils on 6 December 2016 and 5 December 2017,” May 31, 2018, https://www.consilium.europa.eu/media/35578/third-report-ue-nato-layout-en.pdf.
[5] Ibid.; and “Exercise Cyber Coalition 2020,” Supreme Headquarters Allied Powers Europe Public Affairs Office, November 16, 2020, https://shape.nato.int/news-releases/exercise-cyber-coalition-2020.
[6] European Union Agency For Cybersecurity, “ETL 2020 – The year in review,” https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/etl-review-folder/etl-2020-the-year-in-review/view.
[7] Scott Ikeda, “New Security Report Breaks Down Increase in Cyber Attacks Due to Remote Work; Lack of Training, Overwhelmed IT Departments are the Main Issues,” CPO Magazine, October 16, 2020, https://www.cpomagazine.com/cyber-security/new-security-report-breaks-down-increase-in-cyber-attacks-due-to-remote-work-lack-of-training-overwhelmed-it-departments-are-the-main-issues/.
[8] Rico Brandenburg and Paul Mee, “Cybersecurity for a Remote Workforce,” MIT Sloan Management Review, July 23, 2020, https://sloanreview.mit.edu/article/cybersecurity-for-a-remote-workforce/.
[9] European Union Agency For Cybersecurity, “ETL 2020 – The year in review.”
[10] Tom O’Connor, “NATO Assessing Damage from SolarWinds Hack, Canada Issues Alert,” Newsweek, December 15, 2020, https://www.msn.com/en-us/news/world/nato-assessing-damage-from-solarwinds-hack-canada-issues-alert/ar-BB1bXaMf.
[11] “The EU and NATO: The essential partners,” edited by Gustav Lindstrom and Thierry Tardy, European Union Institute for Security Studies, 2019, https://www.iss.europa.eu/sites/default/files/EUISSFiles/EU%20and%20NATO.pdf.
[12] Lété, “Cooperation in cyberspace.”
[13] Ibid.
[14] Zdeněk Hýbl, “GDPR and NATO Centres of Excellence,” in NATO Legal Gazette, Issue 39, May 2019, https://www.act.nato.int/images/stories/media/doclibrary/legal_gazette_39.pdf.
[15] Ibid.
[16] David L. Hudson Jr., “Right to Be Forgotten,” The First Amendment Encyclopedia, 2017, https://www.mtsu.edu/first-amendment/article/1562/right-to-be-forgotten.
[17] Hýbl, “GDPR and NATO Centres of Excellence.”
[18] Joshua P. Meltzer, “Why Schrems II requires US-EU agreement on surveillance and privacy,” Brookings Institution, December 8, 2020, https://www.brookings.edu/techstream/why-schrems-ii-requires-us-eu-agreement-on-surveillance-and-privacy/.
[19] “EU-US Privacy Shield for data struck down by court,” BBC News, July 16, 2020, https://www.bbc.com/news/technology-53418898.
[20] Teri Schultz, “NATO embraces cloud computing,” Deutsche Welle, February 7, 2011, https://www.dw.com/en/nato-embraces-cloud-computing/a-14824382; and “Cloud computing,” Shaping Europe’s digital future, European Commission, February 18, 2021, https://ec.europa.eu/digital-single-market/en/cloud-computing.
[21] “NATO selects Thales to Supply Its First Defence Cloud for the Armed Forces,” Express Computer, January 27, 2021, https://www.expresscomputer.in/news/nato-selects-thales-to-supply-its-first-defence-cloud-for-the-armed-forces/72213/.
[22] Rūta Rimkienė, “What is AES encryption and how does it work?,” CyberNews, December 11, 2020, https://cybernews.com/resources/what-is-aes-encryption/; and “Spiral 4 Standards Profile,” Federated Mission Networking, April 12, 2019, https://storage.nisp.nw3.dk/20190412_Proposed_FMN_Spiral_4_Standards_Profile.pdf.
[23] EU Cloud Code of Conduct, Version 2.6, March 2020, https://eucoc.cloud/en/contact/request-the-eu-cloud-code-of-conduct.html.
[24] “Information Security & ISO 27001: An introduction,” IT Governance, Green Paper, October 2019, https://www.itgovernance.co.uk/green-papers/information-security-and-iso-27001-an-introduction.
[25] European Union Agency for Network and Information Security, “Security Framework for Governmental Clouds,” February 2015, https://www.enisa.europa.eu/publications/security-framework-for-governmental-clouds.
[26] European Commission, “JOINT COMMUNICATION TO THE EUROPEAN PARLIAMENT, THE EUROPEAN COUNCIL AND THE COUNCIL: A new EU-US agenda for global change,” December 2, 2020, https://ec.europa.eu/info/files/joint-communication-new-eu-us-agenda-global-change_en.
[27] Erik Brattberg, “Reinventing Transatlantic Relations on Climate, Democracy, and Technology,” Carnegie Endowment for International Peace, December 23, 2020, https://carnegieendowment.org/2020/12/23/reinventing-transatlantic-relations-on-climate-democracy-and-technology-pub-83527.
[28] Mark Young and Sam Jungyun Choi, “Privacy Shield Ombudsperson Confirmed by the Senate,” Inside Privacy, June 25, 2019, https://www.insideprivacy.com/cross-border-transfers/privacy-shield-ombudsperson-confirmed-by-the-senate/.
[29] Sam Sabin, “With Privacy Shield Data Pact Nullified, Ex-Commerce Officials Suggest Ways U.S. and E.U. Can Craft a New Deal,” Morning Consult, July 31, 2020, https://morningconsult.com/2020/07/31/privacy-shield-hurdles-us-eu-commerce/.
[30] Ibid.
[31] Brattberg, “Reinventing Transatlantic Relations on Climate, Democracy, and Technology.”
[32] “About PESCO,” European Commission, https://pesco.europa.eu/.
[33] North Atlantic Treaty Organization, “Defence and Related Security Capacity Building Initiative,” March 23, 2020, https://www.nato.int/cps/en/natohq/topics_132756.htm#:~:text=The%20Defence%20and%20Related%20Security%20Capacity%20Building%20%28DCB%29,therefore%2C%20contributes%20to%20the%20security%20of%20the%20Alliance.
[34] Calum McClelland, “What is an API? - A Simple, Non-Technical Explanation,” Leverege, January 12, 2017, https://www.leverege.com/blogpost/what-is-an-api.
[35] Jacopo Barigazzi and Joshua Posaner, “EU to US: Don’t worry about our military plans,” Politico, May 16, 2019, https://www.politico.eu/article/european-military-defense-army-nato/.
[36] Daniel Fiott, “Digitising Defence: Protecting Europe in the age of quantum computing and the cloud,” European Union Institute for Strategic Studies, Brief 4, March 2020, https://www.iss.europa.eu/sites/default/files/EUISSFiles/Brief%204%20Defence.pdf.
[37] Lété, “Cooperation in cyberspace.”
[38] Information Technology Services, “Security Breach Examples and Practices to Avoid Them,” UC Santa Cruz, https://its.ucsc.edu/security/breaches.html.
[39] “Understanding Comply-to-Connect (C2C) And U.S. Department of Defense requirements,” Cisco, 2018, https://www.cisco.com/c/dam/en_us/solutions/industries/docs/fed-dod-comply2connect.pdf.
[40] Ibid.
[41] Aaron Boyd, “Pentagon Wants to Scale Up Its Device Security Program,” Nextgov, June 17, 2020, https://www.nextgov.com/cybersecurity/2020/06/pentagon-wants-scale-its-device-security-program/166225/.
[42] Chris Johnson et. al., “Guide to Cyber Threat Information Sharing,” National Institute of Standards and Technology, U.S. Department of Commerce, October 2016, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-150.pdf.